IT Matters - The need to mitigate data breaches and cyberattacks
June 07, 2017
By Sanjaya Kumar and Chandrashekar Bilugu
Today’s health care industry depends on information systems – from clinical applications such as EMR/CPOE systems, to specialized radiology, pharmacy, laboratory systems, to billing and scheduling systems, etc.
The accessibility of data and interoperability from such systems is resulting in increased productivity, efficiency, improved quality of care and ensuring safe patient care.
Health care organizations are a top target for hackers due to their inherent vulnerability, with cyberattacks becoming more focused and sophisticated. Health care records are a treasure trove of data for identity thieves. Health records are popular targets for their high potential for exploitation through identity theft, insurance fraud, stolen prescriptions, ransom attacks and dangerous hoaxes.
According to Reuters, on the black market, medical information is sold for more than 10 times your credit card number. Continuous dependency on information systems also makes health care organizations prime targets for ransomware attacks. The “wannacry” attack encrypted key patient data within hospital systems, crippling operations.
Several assessments and surveys have highlighted that health care organizations in the U.S. are at great risk today for cyberattacks and there are limited mitigating safeguards in place to ensure continuity of operations. It has also been highlighted that investments to safeguard systems and data by health care organizations come at an increasingly exorbitant cost in the era of shrinking margins. However, with significant HIPAA fines and penalties being enforced for PHI data breaches and noncompliance with established standards, health care organizations are left with few choices but to enforce compliance and strengthen key processes to plug vulnerabilities and mitigate cyberattacks.
There are nearly 250 HIPAA privacy and security controls that require continuous monitoring by covered entities and their business associates (who, in turn, are now also liable for inadvertent exposure of PHI).
• The top three major gaps in processes and failures at health care organizations are related to: * Not establishing and maintaining required documentation (49.4 percent).* Lack of evidence of adequate data and information management (26.5 percent).Lack of notification, training and responsiveness (10.5 percent).
Data on breaches also highlight that data security failures originate from both inside and outside of the organization given the dependency on a varied number of business associates and vendors that health care organizations contract with.
In 2016, 43 percent of data breaches were the result of insiders – either the result of simple human error or actual malicious wrongdoing. Hacking and ransomware were responsible for 26.8 percent of breaches, although this number is likely underreported and very much on the rise. While covered entities are not technically liable for security breaches at a business associate, there are many reasons why it pays to select business associates who take data privacy seriously.
Condider the following five key safeguards and processes to establish for mitigating data breaches and cyberattacks:
• Establish continuous security control compliance assessments, evaluation of gaps and remediation due diligence processes at your health care organizations systemwide. Health care organizations currently only do periodic assessments of their controls. Vulnerabilities are identified, but required remediation to fix the gaps is not acted upon in a timely fashion. It would be ideal to have health care organizations establish a SWAT team-like approach to identify gaps and get them fixed. The longer the gap is present on your information systems, the increased likelihood of you becoming the next victim of a data breach or ransomware cyberattack.
• Exercise your audit rights with your business associates. While most business associate agreements include the right for a covered entity to audit the business associate’s security compliance processes, not many do this. Utilizing a closed-loop, third-party auditing software is ideal for this as all the information, communication and evidence of compliance will be logged and trackable. Document all PHI sent to third parties and pay special attention to the management (and appropriate renewals) of business associate agreements across the health care system.
• Require approval for subcontractors. Often, business associates have the discretion to utilize subcontractors to fulfill the work. This adds another layer in an already complex relationship, and subcontractors are not always bound by the same guidelines of the BAA signed by the covered entity. Require notification and consent with the option to terminate the agreement, if needed.
• Be proactive as opposed to reactive with what devices are on your network and their state of compliance. Establish tools that can identify threats at your endpoints and protect them continuously. With very few good solutions on the market, endpoint security is emerging as the next frontier for health care organizations to address.
• Conduct good governance both internally and externally. The work doesn’t end with a signed business associate agreement or an assessment of your organization. Agree upon enforcement and monitoring practices, such as periodic audits and other controls you need to comply with.
About the authors: Sanjaya Kumar, M.D., is the chief medical informatics officer and Chandrashekar Bilugu is the chief technology officer at Aegify, Inc.
Today’s health care industry depends on information systems – from clinical applications such as EMR/CPOE systems, to specialized radiology, pharmacy, laboratory systems, to billing and scheduling systems, etc.
The accessibility of data and interoperability from such systems is resulting in increased productivity, efficiency, improved quality of care and ensuring safe patient care.
Health care organizations are a top target for hackers due to their inherent vulnerability, with cyberattacks becoming more focused and sophisticated. Health care records are a treasure trove of data for identity thieves. Health records are popular targets for their high potential for exploitation through identity theft, insurance fraud, stolen prescriptions, ransom attacks and dangerous hoaxes.
According to Reuters, on the black market, medical information is sold for more than 10 times your credit card number. Continuous dependency on information systems also makes health care organizations prime targets for ransomware attacks. The “wannacry” attack encrypted key patient data within hospital systems, crippling operations.
Several assessments and surveys have highlighted that health care organizations in the U.S. are at great risk today for cyberattacks and there are limited mitigating safeguards in place to ensure continuity of operations. It has also been highlighted that investments to safeguard systems and data by health care organizations come at an increasingly exorbitant cost in the era of shrinking margins. However, with significant HIPAA fines and penalties being enforced for PHI data breaches and noncompliance with established standards, health care organizations are left with few choices but to enforce compliance and strengthen key processes to plug vulnerabilities and mitigate cyberattacks.
There are nearly 250 HIPAA privacy and security controls that require continuous monitoring by covered entities and their business associates (who, in turn, are now also liable for inadvertent exposure of PHI).
• The top three major gaps in processes and failures at health care organizations are related to: * Not establishing and maintaining required documentation (49.4 percent).* Lack of evidence of adequate data and information management (26.5 percent).Lack of notification, training and responsiveness (10.5 percent).
Data on breaches also highlight that data security failures originate from both inside and outside of the organization given the dependency on a varied number of business associates and vendors that health care organizations contract with.
In 2016, 43 percent of data breaches were the result of insiders – either the result of simple human error or actual malicious wrongdoing. Hacking and ransomware were responsible for 26.8 percent of breaches, although this number is likely underreported and very much on the rise. While covered entities are not technically liable for security breaches at a business associate, there are many reasons why it pays to select business associates who take data privacy seriously.
Condider the following five key safeguards and processes to establish for mitigating data breaches and cyberattacks:
• Establish continuous security control compliance assessments, evaluation of gaps and remediation due diligence processes at your health care organizations systemwide. Health care organizations currently only do periodic assessments of their controls. Vulnerabilities are identified, but required remediation to fix the gaps is not acted upon in a timely fashion. It would be ideal to have health care organizations establish a SWAT team-like approach to identify gaps and get them fixed. The longer the gap is present on your information systems, the increased likelihood of you becoming the next victim of a data breach or ransomware cyberattack.
• Exercise your audit rights with your business associates. While most business associate agreements include the right for a covered entity to audit the business associate’s security compliance processes, not many do this. Utilizing a closed-loop, third-party auditing software is ideal for this as all the information, communication and evidence of compliance will be logged and trackable. Document all PHI sent to third parties and pay special attention to the management (and appropriate renewals) of business associate agreements across the health care system.
• Require approval for subcontractors. Often, business associates have the discretion to utilize subcontractors to fulfill the work. This adds another layer in an already complex relationship, and subcontractors are not always bound by the same guidelines of the BAA signed by the covered entity. Require notification and consent with the option to terminate the agreement, if needed.
• Be proactive as opposed to reactive with what devices are on your network and their state of compliance. Establish tools that can identify threats at your endpoints and protect them continuously. With very few good solutions on the market, endpoint security is emerging as the next frontier for health care organizations to address.
• Conduct good governance both internally and externally. The work doesn’t end with a signed business associate agreement or an assessment of your organization. Agree upon enforcement and monitoring practices, such as periodic audits and other controls you need to comply with.
About the authors: Sanjaya Kumar, M.D., is the chief medical informatics officer and Chandrashekar Bilugu is the chief technology officer at Aegify, Inc.